Have you taken an overzealous approach to GDPR?
So, here we are, after years of anticipation the GDPR implementation date has finally passed…and the earth is still here. Despite scaremongering and misinterpretation, businesses have not ceased to function as of 25th May 2018. However, implementing GDPR incorrectly, whether you take an overzealous approach or fail to implement key standards could have a seriously detrimental impact on your firm’s bottom line. This article is focused on those who have taken an over-zealous approach to compliance.
Now is the perfect opportunity to sit back and take stock of what you have achieved (or not, as the case may be) and double check you have not “over-applied” the rules.
In this article we have identified a few of the key areas where, in our experience, firms are over-compliant. You should read this article, check you have not done the same and if you need any further clarification, you can always ask us!
Additionally we’ll be tackling more of these areas in our upcoming GDPR ½ day seminar on 13 June in Central London.
Business to Business Marketing
Some firms have re-sent consent requests where they intend to contact current or ex customers of their business in order to achieve further sales. This is not necessary and deleting contacts following a failure to obtain consent could have serious cost implications to the firm.
Yes, a person’s details such as their email address (even a work email address), constitutes personal data under GDPR so we need to consider our lawful basis for processing the data. However, it is clear we are able to rely not only on consent for marketing. In certain situations, we are able to rely on legitimate interests as the basis for processing the data. Therefore consent is not required. In fact this scenario is specifically called out in the relevant ICO guidance.
Of course you do need to ensure they are “informed” and it is a good idea to comply with the privacy and electronic communications regulations.
There are a couple of mis-conceptions in relation to privacy notices, firstly, that ALL current data subjects will need one before 25 May. This is not actually the case where you have already supplied a GDPR compliant notice, for example, at the point of signing up to your service.
The reality is that many firms would not have sent a GDPR compliant privacy notice containing the information required in Articles 12-14, however, you may be surprised how close you were.
Secondly, in the list of third parties to whom you may send the data, it’s worth noting that in the GDPR text it does allow firms to state “categories of” firms, where this can be justified. Essentially GDPR recognises that, in some situations, it is impossible or impractical to provide a comprehensive list of data processors.
Thirdly, it should be noted who the obligation to send privacy notices rests on. The obligation is that of the controller – not the processor.
A departure from the previous data protection legislation is the now explicit requirements to keep accountable. However, some firms have over-interpreted this requirement to mean that every action the firm takes must be logged via an audit trail. While that is good practice, what you actually need to do is:
adopt and implement data protection policies;
take a ‘data protection by design and default’ approach;
put written contracts in place with organisations that process personal data on your behalf;
maintain documentation of your processing activities, Article 30 requires you to record the purposes for which you process data, data sharing and retention;
implement appropriate security measures;
record and, where necessary, report personal data breaches;
carry out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
appoint a data protection officer (where required); and
adhere to relevant codes of conduct and sign up to certification schemes
Really, there hasn’t been a significant shift in the rules around security. It’s just that under GDPR the regulatory consequences of failing to ensure data is kept secure has, somewhat, focused the minds of controllers.
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be 'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures' which is not materially different to previous legislation.
Having said that, you do need to consider the above alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. Article 32(1) states: ‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’